It is possible to make the Windows Hello login with the front camera on a Surface Book, or on other devices with the right hardware, more secure than just showing it your face.
You can also require the user to move their face slowly from left to right. That is a more secure login method, but it takes the user more time before the login can proceed.
I ran into this while adding compliance settings in Intune for devices that do an AAD join when a new device is rolled out.
First things first.
Log in to your Microsoft Intune portal, go to the Admin workspace, then expand Mobile Device Management/Windows/Passport for Work.
Far down the page there is a setting called "Use enhanced anti-spoofing, when available".
There are three options: yes, no and not configured.
If you say:
no = if you select no, a new setting becomes visible on the device:
not configured = nothing happens and the user can set it himself; well, not really: nothing happens and you can't see anything on the client.
yes = a new feature appears on an AAD-joined device, and it enables the setting:
In both cases the setting above, “Automatically unlock the screen if we can recognize your face”, will be turned on. This setting is also configurable in Intune, where it is called “Allow biometric authentication”.
If you set it to not configured, the user can enable or disable it whenever he likes.
If you lock your screen or reboot, the Windows Hello logon page now tells you to move your face from left to right for a higher-security login.
When you change the settings in MS Intune, you can go to:
and sync the settings. It takes a while to sync.
In my lab I rejoined the device to AAD; that was the faster way to get the new settings.
Hope it helps and brings a little light into the tunnel.
Remember, this post is provided as is; test it first in a lab before implementing it in production.